Harden auth and outbound admin surfaces

2026-05-23 21:12:45 +12:00
parent d9ac54a2ff
commit 1ce01ec348
15 changed files with 495 additions and 110 deletions
@@ -1,13 +1,15 @@
 from datetime import datetime, timezone
-from typing import Dict, Any, Optional
+from typing import Any, Dict, Optional

-from fastapi import Depends, HTTPException, status, Request
+from fastapi import Depends, HTTPException, Request, Response, status
 from fastapi.security import OAuth2PasswordBearer

+from .config import settings
 from .db import get_user_by_username, set_user_auth_provider, upsert_user_activity
-from .security import safe_decode_token, TokenError, verify_password
+from .network_security import request_trusts_forwarded_headers
+from .security import TokenError, safe_decode_token, verify_password

-oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login")
+oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/auth/login", auto_error=False)


 def _is_expired(expires_at: str | None) -> bool:
@@ -24,20 +26,79 @@ def _is_expired(expires_at: str | None) -> bool:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed <= datetime.now(timezone.utc)

+
 def _extract_client_ip(request: Request) -> str:
-    forwarded = request.headers.get("x-forwarded-for")
-    if forwarded:
-        parts = [part.strip() for part in forwarded.split(",") if part.strip()]
-        if parts:
-            return parts[0]
-    real_ip = request.headers.get("x-real-ip")
-    if real_ip:
-        return real_ip.strip()
-    if request.client and request.client.host:
-        return request.client.host
+    direct_host = request.client.host if request.client else None
+    if request_trusts_forwarded_headers(direct_host):
+        forwarded = request.headers.get("x-forwarded-for")
+        if forwarded:
+            parts = [part.strip() for part in forwarded.split(",") if part.strip()]
+            if parts:
+                return parts[0]
+        real_ip = request.headers.get("x-real-ip")
+        if real_ip:
+            return real_ip.strip()
+    if direct_host:
+        return direct_host
    return "unknown"


+def _cookie_settings() -> dict[str, Any]:
+    samesite = str(settings.auth_cookie_samesite or "lax").strip().lower()
+    if samesite not in {"lax", "strict", "none"}:
+        samesite = "lax"
+    return {
+        "secure": bool(settings.auth_cookie_secure),
+        "httponly": True,
+        "samesite": samesite,
+        "domain": settings.auth_cookie_domain or None,
+        "path": "/",
+    }
+
+
+def _state_cookie_settings() -> dict[str, Any]:
+    cookie = _cookie_settings()
+    cookie["httponly"] = False
+    return cookie
+
+
+def set_auth_cookies(response: Response, token: str) -> None:
+    max_age = max(60, int(settings.jwt_exp_minutes or 720) * 60)
+    response.set_cookie(
+        settings.auth_cookie_name,
+        token,
+        max_age=max_age,
+        **_cookie_settings(),
+    )
+    response.set_cookie(
+        settings.auth_state_cookie_name,
+        "1",
+        max_age=max_age,
+        **_state_cookie_settings(),
+    )
+
+
+def clear_auth_cookies(response: Response) -> None:
+    response.delete_cookie(settings.auth_cookie_name, path="/", domain=settings.auth_cookie_domain or None)
+    response.delete_cookie(
+        settings.auth_state_cookie_name,
+        path="/",
+        domain=settings.auth_cookie_domain or None,
+    )
+
+
+def _extract_access_token(request: Request, oauth_token: Optional[str]) -> Optional[str]:
+    auth_header = request.headers.get("authorization", "")
+    if auth_header.lower().startswith("bearer "):
+        return auth_header.split(" ", 1)[1].strip()
+    if oauth_token:
+        return oauth_token
+    cookie_token = request.cookies.get(settings.auth_cookie_name)
+    if isinstance(cookie_token, str) and cookie_token.strip():
+        return cookie_token.strip()
+    return None
+
+
 def resolve_user_auth_provider(user: Optional[Dict[str, Any]]) -> str:
    if not isinstance(user, dict):
        return "local"
@@ -122,24 +183,28 @@ def _load_current_user_from_token(
    }


-def get_current_user(token: str = Depends(oauth2_scheme), request: Request = None) -> Dict[str, Any]:
-    return _load_current_user_from_token(token, request)
-
-
-def get_current_user_event_stream(request: Request) -> Dict[str, Any]:
-    """EventSource cannot send Authorization headers, so allow a short-lived stream token via query."""
-    token = None
-    stream_query_token = None
-    auth_header = request.headers.get("authorization", "")
-    if auth_header.lower().startswith("bearer "):
-        token = auth_header.split(" ", 1)[1].strip()
-    if not token:
-        stream_query_token = request.query_params.get("stream_token")
-    if not token and not stream_query_token:
+def get_current_user(
+    request: Request,
+    token: Optional[str] = Depends(oauth2_scheme),
+) -> Dict[str, Any]:
+    resolved_token = _extract_access_token(request, token)
+    if not resolved_token:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing token")
+    return _load_current_user_from_token(resolved_token, request)
+
+
+def get_current_user_event_stream(
+    request: Request,
+    token: Optional[str] = Depends(oauth2_scheme),
+) -> Dict[str, Any]:
+    """EventSource cannot send Authorization headers, so allow a short-lived stream token via query."""
+    resolved_token = _extract_access_token(request, token)
+    stream_query_token = request.query_params.get("stream_token")
+    if resolved_token:
+        # Allow standard bearer tokens for non-browser EventSource clients.
+        return _load_current_user_from_token(resolved_token, None)
+    if not stream_query_token:
        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Missing token")
-    if token:
-        # Allow standard bearer tokens in Authorization for non-browser EventSource clients.
-        return _load_current_user_from_token(token, None)
    return _load_current_user_from_token(
        str(stream_query_token),
        None,